8 Using the Host Monitor Agent
When you deploy the Database Firewall in Monitoring (Host Monitor) mode, the Host Monitor Agent captures SQL traffic from the network interface card of the host machine that is running the target database and securely forwards it to the Database Firewall.
8.1 About Host Monitoring
You can deploy Database Firewall in Monitoring (Host Monitor) mode.
Database Firewall monitors and analyzes the SQL traffic to the database. You can configure Database Firewall in the following deployment modes:
- Monitoring / Blocking (Proxy)
- Monitoring (Out-of-Band)
- Monitoring (Host Monitor)
For descriptions of these deployment modes, see Introduction to Database Firewall Deployment.
The Monitoring (Host Monitor) deployment mode requires a Host Monitor Agent to be deployed on the host machine where the target database is running. You can configure the Host Monitor Agent to capture SQL traffic on ports that the database is listening on. The Host Monitor Agent can capture SQL traffic of multiple databases that are running on a single host machine, and it can capture SQL traffic when there are multiple network paths from clients to the target database.
After you deploy and configure the Host Monitor Agent on the agent machine, it performs the following actions:
- Captures SQL traffic on ports that the database is listening on
- Forwards the SQL traffic securely to Database Firewall
8.2 Installing and Enabling the Host Monitor Agent
Use this process to install and enable the Host Monitor Agent.
- Deploy the Host Monitor Agent on all the database servers where the database is running.
- Register the target.
- Create a Database Firewall monitoring point in Monitoring (Host Monitor) mode.
- Change the Database Firewall policy for the target from Default to the appropriate policy, if needed.
  See Types of Database Firewall Policies for the different policy types.
- Configure a NETWORK audit trail for the monitored target.
Note:
- The Host Monitor Agent is supported on Linux, Solaris, AIX, and Windows platforms. It can monitor any database that is supported by the Database Firewall. See Table C-1 for supported databases.
- The Host Monitor Agent supports the Solaris IPNET link type on Oracle Solaris SPARC64 and x86-64.
- The Host Monitor Agent supports the Ethernet (EN10MB) link type for all supported platforms.
- The Host Monitor Agent does not capture the SQL traffic from Oracle Database's Bequeath connections.
8.2.1 Host Monitor Agent Requirements
The Host Monitor Agent has different requirements for installation, depending on the platform.
To install the Host Monitor Agent on the Windows platform, follow these requirements:
- Ensure that the Audit Vault Agent is running on the database server machine.
- Follow the Npcap installation requirements for your Oracle Audit Vault and Database Firewall (Oracle AVDF) release.
  Host Monitoring on Windows requires Npcap for capturing network traffic.
  - For Oracle AVDF release 20.6 and later, Npcap is automatically installed along with the agent installation.
    Installing Npcap removes any existing installation of Npcap or WinPcap from the Windows host machine.
  - For Oracle AVDF release 20.5, Npcap is automatically downloaded along with the agent software (agent.jar) file. Use the Npcap installer file that is available under the Agent_Home\hm directory.
  - For Oracle AVDF release 20.4 and earlier, install Npcap from the avdf20-utility.zip bundle on Oracle Software Delivery Cloud. It is part of the Oracle AVDF installable files. Select the WinPcap-API-compatible option when installing Npcap.
- Install the latest version of the OpenSSL (1.1.1g or higher) libraries.
  OpenSSL 1.1.1 and earlier on Windows platforms was deprecated in Oracle AVDF 20.11, and it will be desupported in one of the future releases. To prevent issues, you should move to OpenSSL 3.0.13 or later.
- Ensure that the Windows target machine has the latest update of the Visual C++ Redistributable for Visual Studio 2015 (MSVCRT.dll (*) or later) package from Microsoft installed.
- If a network firewall is present, allow communication on port range 2050 - 5200.
  This is required for communication between the database server and the Database Firewall.
To install the Host Monitor Agent on a Linux, Unix, AIX, or Solaris platform, follow these requirements:
- Ensure that the Audit Vault Agent is running on the database server machine.
- Ensure that the latest version of the following packages from the operating system vendor are installed for the specific operating system version on the database server machine:
  - Libcap (for Linux hosts only)
  - LibPcap
  - OpenSSL
- Ensure that gmake is installed for AIX database servers. For other Unix database server types (Linux, Unix, or Solaris), ensure that make is installed. This is required for the Host Monitor Agent to run successfully.
- If a network firewall is present, allow communication on port range 2050 - 5200.
  This is required for communication between the database server and the Database Firewall.
- Ensure that the input output completion ports (IOCP) setting is available for IBM AIX on Power Systems (64-bit). It's set to defined by default.
- Ensure that all directories in the path of the Host Monitor Agent install location have 755 as the permission bits, starting from the root directory.
  This is required because the Host Monitor Agent has to be installed in a root-owned location.
- Ensure that the Host Monitor Agent is installed by the root user.
See Also:
Enabling and Using Host Monitoring for host monitoring instructions and prerequisites.
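The 755 requirement above applies to every directory from / down to the install location, so it is easy to miss one ancestor. The following pre-install check is an added example, not Oracle code: the function names are hypothetical, and checking ownership only on the install directory itself is an assumption drawn from the "root-owned location" wording.

```shell
#!/bin/sh
# Added example, not Oracle code. Function names are hypothetical.

# Print "<mode string> <numeric uid>" for a path. Uses ls rather than
# GNU stat so the same check runs on Linux, AIX and Solaris.
mode_and_uid() {
    ls -ldn "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# Walk from the install directory up to /, printing one line per problem:
#   - any directory on the path whose mode is not 755
#   - an install directory not owned by the expected uid (default 0, root)
# Returns 0 if nothing was reported, 1 if something was, 2 on bad input.
hm_path_offenders() {
    dir=$1
    want_uid=${2:-0}
    bad=0
    leaf=1
    case $dir in
        /*) ;;
        *) echo "need an absolute path: $dir" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "$dir: not a directory"
            bad=1
        else
            info=$(mode_and_uid "$dir")
            mode=${info% *}
            uid=${info#* }
            if [ "$mode" != "drwxr-xr-x" ]; then
                echo "$dir: mode is $mode, expected drwxr-xr-x (755)"
                bad=1
            fi
            # Ownership is checked on the install directory only (assumption).
            if [ "$leaf" -eq 1 ] && [ "$uid" != "$want_uid" ]; then
                echo "$dir: owner uid is $uid, expected $want_uid"
                bad=1
            fi
        fi
        leaf=0
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# Run as root before installing: sh check_hm_path.sh /absolute/install/dir
if [ "$#" -gt 0 ]; then
    hm_path_offenders "$@"
fi
```

A symbolic link on the path is reported as a mode mismatch, because ls shows the link's own mode rather than the target's.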
8.2.2 Validation During Host Monitor Agent Deployment
Learn about validations performed by Oracle AVDF when deploying the Host Monitor Agent.
Starting with Oracle AVDF release 20.6, the following validations are performed on the Linux/Unix/AIX/Solaris platforms when deploying the Host Monitor Agent. These requirements are mandatory; the Host Monitor Agent installation cannot be completed unless they are met.
- The Host Monitor Agent is being installed as root user.
- When installing the Host Monitor Agent on a Windows platform, it must be installed by an administrator user.
- If a Host Monitor Agent process is already running on the host machine.
- If the Input Output Completion Ports (IOCP) is set to available for IBM AIX on Power Systems (64-bit).
- If gmake is installed for AIX database servers. For other Unix database server types (Linux/Unix/Solaris), check if make is installed.
- If symlinks of the libssl, libcrypto, and libnsl libraries are present. On Linux, an additional check for the libaio symlink is performed.
Note:
If you run into any issues, see the following topics for more information:
8.2.3 Registering the Host Machine That Will Run the Host Monitor Agent
Learn how to register the host machine (such as a database server) on the Audit Vault Server.
To register a host on the Audit Vault Server, see Registering Hosts on the Audit Vault Server.
8.2.4 Deploying the Audit Vault Agent and Host Monitor Agent
Learn how to deploy the Audit Vault Agent and Host Monitor Agent on platforms like Linux, Solaris (x86-64), Solaris (Sparc64), AIX, and Windows.
8.2.4.1 Deploying the Host Monitor Agent on a Windows Host Machine
On Windows, the Host Monitor Agent is installed by the Audit Vault Agent. There are no separate Host Monitor Agent installable bundles available for download in the Audit Vault Server console. No separate action is required to install the Host Monitor Agent on Windows.
Follow these instructions before installing the Host Monitor Agent or updating from an older Oracle AVDF release.
8.2.4.1.1 Installing OpenSSL
The Host Monitor Agent uses OpenSSL to communicate with the Audit Vault Server and Database Firewall. OpenSSL 1.1.1g (or later) must be installed on the Windows host machine.
OpenSSL 1.1.1 and earlier on Windows platforms was deprecated in Oracle AVDF 20.11, and it will be desupported in one of the future releases. To prevent issues, you should move to OpenSSL 3.0.13 or later.
Note:
While installing OpenSSL on a Windows machine, you are prompted to choose a location to copy the OpenSSL DLLs as an additional configuration step. It is recommended that you choose the Windows System Directory option, as this location is added to the Path environment variable on the Windows machine by default. Otherwise, if you choose the OpenSSL bin directory option, ensure that the location is added to the Path environment variable.
Follow these steps to change environment variables after installing OpenSSL:
- In the Windows host machine, navigate to Control Panel.
- Click System, and then click Advanced system settings.
- In the Advanced tab, click the Environment Variables button.
- The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
- Click the Edit button. The Edit environment variable dialog is displayed.
- Add the location of the OpenSSL bin directory at the beginning of the Path variable.
- Click OK to save the changes, and then exit all the dialogs.
8.2.4.1.2 Installing Npcap
Host Monitoring on Windows requires Npcap for capturing network traffic.
8.2.4.1.2.1 Installing Npcap for a Fresh Installation of the Host Monitor Agent
Follow these steps to install Npcap for a fresh installation of the Host Monitor Agent.
Note:
For Oracle AVDF release 20.6 and later, Npcap is automatically installed along with the Agent installation. Installing Npcap removes any existing installation of Npcap or WinPcap from the Windows host machine. The following steps are not required for release 20.6 and later.
- Log in to Oracle Software Delivery Cloud.
- Note and follow Npcap manual installation details:
  - For Oracle AVDF release 20.5 and later, Npcap is automatically downloaded along with the Agent software (agent.jar) file. The Npcap installer file is available under the Agent_Home\hm directory.
  - For Oracle AVDF release 20.4 and earlier, install Npcap that is available in the avdf20-utility.zip bundle in Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files. Be sure to install Npcap in WinPcap-API-compatible mode.
- Install Npcap. For Oracle AVDF releases 20.5 and earlier, complete the Npcap installation on the Windows host machine. Be sure to install in WinPcap-API-compatible mode. Installing Npcap in WinPcap-API-compatible mode removes any existing installation of WinPcap from the Windows machine.
8.2.4.1.2.2 Updating from Oracle AVDF 12.2 BP13, 12.2 BP14, or 20.1 - 20.4 to Oracle AVDF 20.5 or Later
Before updating from Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 BP13, 12.2 BP14, or 20.1 - 20.4 to Oracle AVDF 20.5 or later, follow these steps to reinstall Npcap.
- Log in to Oracle Software Delivery Cloud.
- Reinstall the Npcap that is available in the avdf20-utility.zip bundle on the Oracle Software Delivery Cloud. It's part of the Oracle AVDF installable files.
  Be sure to reinstall Npcap in WinPcap-API-compatible mode. This removes any existing installations of Npcap or WinPcap from the Windows machine.
8.2.4.1.2.3 Updating from Oracle AVDF 12.2 BP9 or 12.2 BP10 to Oracle AVDF 20.1 or Later
Before updating from Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 BP9 or 12.2 BP10 to Oracle AVDF 20.1 or later, follow these steps to reinstall Npcap.
Host Monitoring on Windows functionality requires Npcap. Follow these steps to continue using Host Monitor Agent on Windows from 12.2.0.9.0 or 12.2.0.10.0, before upgrading to Oracle Audit Vault and Database Firewall release 20:
- Stop the Audit Vault Agent running on the Windows host machine.
- Log in to 12.2 Audit Vault Server console as administrator.
- Verify the audit trails and the Audit Vault Agent are in STOPPED state.
- Log in to My Oracle Support, and download Npcap that is available with Oracle AVDF release 20 upgrade files.
- Complete the Npcap installation on the Windows host machine. Be sure to install in WinPcap-API-compatible mode.
  Note: Installing Npcap in WinPcap-API-compatible mode removes any existing installation of WinPcap from the Windows machine.
- Follow the verification steps below to ensure that the Npcap installation completed successfully.
- Restart the Audit Vault Agent on the Windows host machine.
- Start the network trails using the Audit Vault Server console.
- The Host Monitor Agent is now powered by Npcap during runtime. Verify the network trail collection.
- Proceed with the Audit Vault Server upgrade.
Note:
- Ensure the audit trails and the Audit Vault Agent are in STOPPED state before installing Npcap. Otherwise, an error may be encountered.
- Do not delete the DLL files as they are created newly by Npcap installation.
8.2.4.1.2.4 Verifying the Npcap Installation
After you install or upgrade Npcap, verify that the installation was successful.
- In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.
  Note: Installing Npcap in WinPcap-API-compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
- Add the Npcap sub-directory inside the Windows System directory to the Path environment variable, by following the steps below:
  - Navigate to Control Panel.
  - Click System, and then click Advanced system settings.
  - In the Advanced tab, click the Environment Variables button.
  - The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
  - Click the Edit button. The Edit environment variable dialog is displayed.
  - Add the location of the Npcap DLL files at the beginning of the Path variable. For example: C:\Windows\System32\Npcap
  - Click OK to save the changes, and then exit all the dialogs.
  - Confirm the changes in the Path environment variable.
8.2.5 Creating a Target for the Host-Monitored Database
Learn how to create a target for the host-monitored database.
To create a target, see Registering or Removing Targets in Audit Vault Server.
8.2.6 Creating a Monitoring Point for the Host Monitor Agent
A monitoring point is a logical entity on the Database Firewall host that contains the configuration and rules for monitoring the SQL traffic that is received.
8.2.7 Create a Network Audit Trail
Learn how to create network audit trails.
Specify NETWORK for the audit trail type. See Adding Audit Trails with Agent-Based Collection for more information.
For monitoring multiple nodes of an Exadata or RAC database using network trail, create a separate target for each node.
Note:
Ensure that the collection attribute network_device_name_for_hostmonitor is configured for the targets that are monitored by the Host Monitor Agent. The name of the network interface card is the attribute value. The network interface card receives all the network traffic of the target database.
Starting with AVDF 20.10, network trails are monitored hourly. Alerts are generated and email notifications are sent out if a network trail is in STOPPED_ERROR state.
8.2.8 Check the Value of the network_device_name_for_hostmonitor Attribute
The collection attribute network_device_name_for_hostmonitor should be configured for the targets that are monitored by the Host Monitor Agent. The attribute value is the name of the network interface card. The network interface card receives all the network traffic of the target database. Follow these steps to check the value of the network_device_name_for_hostmonitor attribute.
Linux/AIX/Solaris Hosts
- Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.
- Execute the following command to list the network device details present in the host machine:
  ifconfig -a
- From the output displayed, search for the IP address that was noted in the initial step. The corresponding name of the network card is the value of the collection attribute network_device_name_for_hostmonitor.
Windows Hosts
- Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.
- Execute the following command to list the network device details present in the host machine:
  ipconfig /all
  Note: This command displays the Physical Address, IPv4 Address, and other details for every device.
- From the output displayed, search for the device which has an IPv4 Address that was noted in the initial step. Make a note of the corresponding Physical Address.
- Execute the command:
  getmac
  This will display the device name against the corresponding Physical Address. Make a note of the Device Name for the Physical Address determined in the previous step.
- After the Device Name is determined, observe it is in the following form: \Device\Tcpip_{********-****-****-****-************}.
- Copy this Device Name to use as the attribute value by replacing Tcpip with NPF.
  For example, for a network card with the name \Device\Tcpip_{********-****-****-****-************} the attribute value is \Device\NPF_{********-****-****-****-************}.
8.3 Starting, Stopping, and Other Host Monitor Agent Operations
Learn about starting, stopping, and other Host Monitor Agent operations.
8.3.1 Starting the Host Monitor Agent
Starting the Host Monitor Agent involves starting collection for the NETWORK audit trail on the host that you're monitoring.
To start the Host Monitor Agent from the Audit Vault Server console:
8.3.2 Stopping the Host Monitor Agent
To stop the Host Monitor Agent, stop the audit trail that you created for the target that is being monitored.
8.3.3 Changing the Logging Level for a Host Monitor Agent
Learn about changing the logging level for Host Monitor Agents.
8.3.4 Viewing Host Monitor Agent Status and Details
You can view whether a Host Monitor Agent is installed and information like its location, version, update time, and other details.
8.3.5 Checking the Status of a Host Monitor Agent Audit Trail
Learn how to check the status of a Host Monitor Agent audit trail.
- Log in to the Audit Vault Server console as an auditor.
- Click the Targets tab, and then from the left navigation menu, select Audit Trails.
- In the status page that appears, in the Audit Trail Type column, search for audit trails of type NETWORK to find audit trails for Host Monitor Agents.
8.3.6 Uninstalling a Host Monitor Agent (Unix Hosts Only)
This procedure applies to Unix hosts only. On Windows hosts, the Host Monitor Agent is installed as part of the Audit Vault Agent, so you don't need to uninstall the Host Monitor Agent. However, after uninstalling the Audit Vault Agent from a Windows host, you should also uninstall Npcap.
8.4 Updating a Host Monitor Agent (Unix Hosts Only)
When you update the Audit Vault Server to a new release, the Host Monitor Agent is automatically updated.
8.5 Using Mutual Authentication for Communication Between the Database Firewall and the Host Monitor Agent
By default, the Database Firewall allows the Host Monitor Agent connection based on one-way authentication. To provide mutual authentication, follow these steps after installing the Host Monitor Agent.
- Stop the network trail associated with the firewall where mutual authentication needs to be enabled.
- On the Database Firewall, log in as root and run the following commands:
  - For Oracle AVDF release 20.7 and later:
    cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
    chown arbiter:arbiter /usr/local/dbfw/etc/fw_ca.crt
    chmod 400 /usr/local/dbfw/etc/fw_ca.crt
    /usr/local/dbfw/bin/dbfwctl restart
  - For Oracle AVDF release 20.6 and earlier:
    cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
    chown dbfw:dbfw /usr/local/dbfw/etc/fw_ca.crt
    chmod 400 /usr/local/dbfw/etc/fw_ca.crt
    /usr/local/dbfw/bin/dbfwctl restart
- On the Audit Vault Server, log in as root and complete the following steps:
  - Change to the /usr/local/dbfw/etc directory.
  - Run the following commands:
    openssl genrsa -out hmprivkey.perm 2048
    openssl req -new -key hmprivkey.perm -out hmcsr.csr -subj "/CN=Hostmonitor_Cert_hostname/"
    The hostname is the name of the database server where the Host Monitor Agent is installed.
  - Generate a signed certificate by running the following command:
    /usr/local/dbfw/bin/generate_casigned_hmcert.sh
    The signed certificate file, hmcert.crt, is generated in the /usr/local/dbfw/etc directory.
- Copy the following files from the Audit Vault Server to the HOSTMON_HOME directory on the database server where the Host Monitor Agent is installed:
  /usr/local/dbfw/etc/hmcert.crt
  /usr/local/dbfw/etc/hmprivkey.perm
- (Unix hosts only) As root, run the following commands:
  chown root:root Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
  chmod 400 Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
- (Windows hosts only) Ensure that the hmcert.crt and hmprivkey.perm have agent user ownership and appropriate permissions to prevent unwanted user access.
- Repeat steps three to six for every Host Monitor Agent that is using the Database Firewall from step 2.
- Start all the network trails to capture the network traffic.
- If more than one Database Firewall is used, repeat all the above steps for each.
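After copying the files to a Unix host and before starting the network trails, it is worth confirming that the certificate and key belong together and are locked down as the procedure requires. This check is an added example, not Oracle code: the function name is hypothetical, and it assumes openssl is on the PATH and that the signing script keeps the CN given in the CSR.

```shell
#!/bin/sh
# Added example, not Oracle code. hm_check_mutual_auth_files is a
# hypothetical name.
# usage: hm_check_mutual_auth_files <dir> <db_server_hostname> [expected_uid]
# Prints one line per problem; returns 0 only if every check passes.
hm_check_mutual_auth_files() {
    dir=$1
    host=$2
    want_uid=${3:-0}              # root, per the chown step in the procedure
    crt=$dir/hmcert.crt
    key=$dir/hmprivkey.perm
    rc=0

    # Both files must exist, be mode 400 and be owned by the expected uid.
    for f in "$crt" "$key"; do
        if [ ! -f "$f" ]; then
            echo "$f: missing"
            return 1
        fi
        info=$(ls -ln "$f" | awk '{ print substr($1, 1, 10), $3 }')
        if [ "${info% *}" != "-r--------" ]; then
            echo "$f: mode is ${info% *}, expected -r-------- (400)"
            rc=1
        fi
        if [ "${info#* }" != "$want_uid" ]; then
            echo "$f: owner uid is ${info#* }, expected $want_uid"
            rc=1
        fi
    done

    # The certificate must carry the public half of hmprivkey.perm.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match"
        rc=1
    fi

    # The CSR sets CN=Hostmonitor_Cert_<hostname>; assumed to survive signing.
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null) || subj=
    case $subj in
        *"CN=Hostmonitor_Cert_$host" | *"CN=Hostmonitor_Cert_$host,"*) ;;
        *) echo "unexpected certificate subject: $subj"; rc=1 ;;
    esac
    return "$rc"
}

# Run as root on the database server: sh check_hm_cert.sh <dir> <hostname>
if [ "$#" -ge 2 ]; then
    hm_check_mutual_auth_files "$@"
fi
```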